Posted by Soulskill on Friday October 11, 2013 @11:23AM from the getaway-car-and-a-pocket-full-of-flash-drives dept.

pacopico writes "A series of robberies in Silicon Valley have start-ups feeling nervous. According to this report in Businessweek, a couple of networking companies were burgled recently with attempts made to steal their source code. The fear is that virtual attacks have now turned physical and that espionage in the area is on the rise. As a result, companies are now doing more physical penetration testing, including one case in which a guy was mailed in a FedEx box in a bid to try and break into a start-up."

At the risk of overgeneralizing :-) I'd say that the Chinese are so uncreative that stealing and copying is their main business. To wit:
The keyboard I am using right now was made in China and it is a disaster of design. I'd love to find the designer and stir-fry him. BTW, I bought it at Fry's, which is my first mistake, since that chain is a master of selling counterfeit and broken stuff.

It's not exactly racist. It's a reference to a scene in Weird Al's movie UHF. I suppose you could argue that making a joke about accents is racist, but seeing as it isn't really derogatory in any way, I'm not sure how it would be. (The height is a reference to the height of the actor in the movie.)

How can a blonde haired blue eyed Bostonian be racist against a blonde haired blue eyed Texan? Making fun of accents has nothing to do with race. In fact, accents themselves have nothing to do with race and everything to do with growing up in a certain location. I know a man whose parents are both Japanese, he was adopted by a Chicago couple in infancy. Guess what? He speaks with a Chicago accent.

It goes from corporate espionage to some guy stealing credit card numbers as a 'hobby'.

I work at a major corporation that has security cards to get into the building and my computer is password protected with an encrypted hard drive & a physical lock on the computer. Are security guards with guns really necessary?

It goes from corporate espionage to some guy stealing credit card numbers as a 'hobby'.

I work at a major corporation that has security cards to get into the building and my computer is password protected with an encrypted hard drive & a physical lock on the computer. Are security guards with guns really necessary?

A security-minded person would say 'yes, because security guards with guns deter threats that locks and passwords do not.' If your valuables are really that valuable, then there is no such thing as too much security.

Of course, the article is mainly focused on start-ups who rarely focus on security, not large corporations who have years' experience at deterring the bad guys.

Well, there is if you burden it with so much security that people start taking shortcuts to use it that leave you more vulnerable, but I get what you mean. It's important to remember that even in high security situations, it's still a balancing act though.

Bullshit. People will always take short cuts, even in the military. But if your company exists to create software, the guys who create software are ultimately the real assets.

Good security revolves around understanding that people take shortcuts. Make the right thing to do easier than the wrong thing. For example, any security door between where people sit and the smoking area will be propped open - guaranteed. You can try to resolve that with shouting, or you can simply build a smoking area inside the

When I worked in a hardware lab, I remember the time facilities put lock-boxes around the thermostats. Hilarity ensued. Eventually, there would be no physical evidence of how the thermostats would mysteriously change settings inside their lockboxes.

You didn't make an argument, you just said people will ignore the rules. And those people should be fired. The reductio ad absurdum of your argument is that we shouldn't have any laws against murder as there will be murderers. And that we don't need knowledgeable and skilled surgeons as it's easier to be ignorant and unskilled.

The reality is that in certain environments, good security craft is as much of the job as good software development skills -- and I'm not saying writing secure software, to help clarif

Yes that was my argument: your approach is simply not realistic. Security people always say "just fire everyone who doesn't comply", but in the real world they rarely have that sort of power, nor should they.

If the purpose of your company is to guard something, then fine. That's unlikely to be a Silly Valley startup. If the purpose of your company is to invent something cool, something worth guarding, then the inventors are more important than the security guards. Thus you want to work with human nature

You didn't make an argument, you just said people will ignore the rules. And those people should be fired.

This is the problem with authoritarian security assholes in a nutshell. They figure out the most expedient way they can get their job -- security -- done. And they don't care how much harder it makes everyone else's job, because they figure if those people resist, they can just be fired.

Actually, the people taking shortcuts should be educated on why not to take shortcuts and the procedures reviewed to see if they can be improved. Overly burdensome security will harm morale and could possibly increase the chance of an internal breach, which is always the biggest risk since the people inside are supposed to have at least some access.

That education should happen on the first day they are working for you and if they aren't willing to follow procedures then they aren't aligned with your business interests and have no reason to be working for you.

At this point I'm going to assume you are either trolling or like to work with robots (who by the way tend to not be very good innovators). Yes, the education should happen on day one, but not everyone is (or should be) a security professional, so sometimes they will need reminding. Firing them immediately isn't the answer, reminding them sternly and letting them know that if problems continue, then they will be fired is. Certainly, if they regularly, recklessly disregard policy, then they need to go, bu

A security-minded person would say 'yes, because security guards with guns deter threats that locks and passwords do not.' If your valuables are really that valuable, then there is no such thing as too much security.

Of course, the article is mainly focused on start-ups who rarely focus on security, not large corporations who have years' experience at deterring the bad guys.

Just as real computer security is hard, so is real physical security.

I think I've worked maybe one place that had what I would consider real physical security that was worth much of anything. (And it wasn't the military, but rather a military contractor.)

It goes from corporate espionage to some guy stealing credit card numbers as a 'hobby'.

I work at a major corporation that has security cards to get into the building and my computer is password protected with an encrypted hard drive & a physical lock on the computer. Are security guards with guns really necessary?

A security-minded person would say 'yes, because security guards with guns deter threats that locks and passwords do not.' If your valuables are really that valuable, then there is no such thing as too much security.

Of course, the article is mainly focused on start-ups who rarely focus on security, not large corporations who have years' experience at deterring the bad guys.

The guards are there to prevent thieves from walking out with desktops, laptops, monitors, and whatever else could be put in the back of a truck that is allowed up to the loading dock.

This is the problem with security -- people tout how necessary these things are based on negative results. In other words, armed guards must be necessary because nobody has tried to rob the place at gunpoint.

It's just like all the paranoia around airport security -- because nobody has hijacked a plane, the TSA must be doing a good job, right?

This is the problem with security -- people tout how necessary these things are based on negative results.

No they don't. Well, at least not anyone who is not an idiot or a strawman.

Informed people claim these things are necessary based on risk assessment and vulnerability analysis. If the information you are protecting is valuable enough for someone to risk an armed assault on your premises, then you may need armed guards to mitigate that risk.

In fact, the exact opposite of what you claim tends to occur quite frequently: No one has attempted to rob us so we don't need these armed guards!

This is the problem with security -- people tout how necessary these things are based on negative results. In other words, armed guards must be necessary because nobody has tried to rob the place at gunpoint.

It's just like all the paranoia around airport security -- because nobody has hijacked a plane, the TSA must be doing a good job, right?

To be fair, the same tautology is used in reverse -- physical security obviously isn't needed because nobody is ever caught by them.

What you really need is some logical tests and bet hedging. This is what went into seatbelt laws, whose results have been measurable, and have saved insurance companies a ton of money.

So... do startups with decent physical security on average make more of a profit than those without? This is the true measure of whether it's needed.

So... do startups with decent physical security on average make more of a profit than those without? This is the true measure of whether it's needed.

While I mostly agree with you, I'd want to just measure what security problems they had and at what cost, rather than their profitability. Startups are too few, too different, and too rarely profitable to measure based on profit. And in many cases the most profitable of current startups in 10 years will grow huge and have a lot of success, before ever becoming profitable. With a big enough data set, then yeah, you'd have enough companies that did or didn't go out of business based on their security choices

With a big enough data set, then yeah, you'd have enough companies that did or didn't go out of business based on their security choices to make that meaningful. But that data set isn't that big, and the failure rate is too high.

True, and you'd also have to take into account the number of startups that didn't "start up" due to investing in physical security instead of putting that money into R&D.

With a little social engineering and determination, it's surprisingly easy (I hear) to bypass the entry controls in a lot of places.

Hell, put on a green uniform and carry a clip-board and they might hold the door open for you.

I've been at places which have a policy that if you don't recognize someone, challenge them as to why they're there. I once stopped a VP and said "ummm, who the heck are you and how did you get in?" because I had never seen him before but he was standing outside the lab. He was surprisingly nice about it too.

So it all depends on how valuable what you have is, and how likely someone is to take pains to get it. From the sounds of it, this is due to actual incidents which have happened.

This exact scenario happened recently where I currently work. An executive from headquarters showed up with his party to inspect a new data center; his staff had accidentally left his name off the list of people to be granted temporary access. He made all kinds of noise about it, but ended up sitting in the lobby while the rest of the party took in the dog and pony show. Once he got home and cooled down he sent a letter of commendation to the guard staff at the data center. Don't know what happened to the staffer that left his name off the list.

Right after 9/11 I asked our electrician if he had been experiencing more difficulty getting into buildings to do work. I figured with security on everyone's mind it would be more challenging to show up and gain access to sensitive areas of downtown office buildings.

He just laughed and said no. He said if I took one of his work uniform shirts (company logo polo) and carried a bunch of tools with me I could walk into any building security office downtown and check out master keys merely by handing them my driver's license. No questions asked.

My guess is with the right employee uniform you can get away with going a lot of places you don't belong. You could probably do some serious mayhem in the local telco uniform as this would probably get you into any wiring closet in the building, and often they have patch panels and switches for local networks.

A month or two ago in Manhattan someone waltzed into a nice car storage wearing a local high-end mechanic's uniform and said he was there to pick up a luxury car for work. The attendant gave him the keys and poof, have a good day, dude disappeared. Turns out he had been recently fired from said mechanic. Can't remember what the guy made off with but it was a $3-400K car. I also can't imagine wtf the dude was planning on doing with it.

Yup. In my first job we were doing overnight upgrades in a store, and as a precaution, we had to get the address from every cash register before we started...just in case. This meant going into a busy department store that we had never set foot in before (1 night per store), walking in, and fiddling with cash registers. Security, of course, knew we were coming but, you think anyone else knew?

My first few nights, I walked in, even with my red shirt and company logo, it was a pain. I would walk up to the lines and

I think it's always been this way though, when I was 17 and I wanted to get served at pubs that were strict on ID'ing people I'd just flash up my driver's license and they'd serve me. None of them stopped to think that anyone would have the cheek to hand over their license and actually be underage so rather than check the DOB on it they just assumed "Oh he has ID" and served you.

Similarly on the trains once, I used to buy a monthly pass, but it was a day out one day and I didn't realise. The conductor came r

It goes from corporate espionage to some guy stealing credit card numbers as a 'hobby'.

I work at a major corporation that has security cards to get into the building and my computer is password protected with an encrypted hard drive & a physical lock on the computer. Are security guards with guns really necessary?

Depends on the situation. If your property is that valuable, perhaps. Now, consider this:
If people are willing to physically break into your facilities, that's passing the threshold that divides a cyber-violation from a physical violation. Statistically, breaking into someone's property usually correlates with a willingness to commit physical aggression. With that in mind, guns for security guards and LEOs are not simply to "shoot" the bad guys, but for them to protect themselves.

You plug into a network, right? Where's the switch? Where's your server? Where are the project files? Are they encrypted? Where are all of the domain controllers? Who has access to the printer hard drives? Are all of your co-irkers as conscientious as you are? Who controls access to the network closets? What's the procedure to access them? Can people get away with tailgating into the building?

Depending on your location the gun probably isn't necessary (unless your high executives are in the same

"You plug into a network, right? Where's the switch? Where's your server? Where are the project files? Are they encrypted? Where are all of the domain controllers? Who has access to the printer hard drives? Are all of your co-irkers as conscientious as you are? Who controls access to the network closets? What's the procedure to access them? Can people get away with tailgating into the building? "

We asked Borland or Inprise or whatever it was called at that moment for the source code for dBase III+ in the la

I'd say yes. Around '06, there was a data center in Chicago hit multiple times with racks of equipment "liberated" by armed robbers. It took a law passed in the city to allow companies to hire armed guards before this data center stopped getting hit.

I am amazed that this hasn't happened more, mainly because security usually are 1-2 HID card reader locks in most places. However, when thieves start to realize that a data center hit can not just net them a tidy sum of equipment, but the ability to blackmail

> Just put a "smoke and mirror entrance" system in front of the data center. When they come, lock them in there and call police.

This is illegal (illegal confinement or arrest) and will make you criminally liable. #IANAL.

If your competitor can slow you down by destroying your work, passwords and encryption will not protect you. Of course if your competitor does that, he must be really stupid because you have off-site backups of everything, right?

Yes you need physical security, to prevent the guy in the FedEx box replacing your keyboard with one with a hardware key logger. And planting a transmitter inside your machine to send out the data wirelessly once it has your encryption passwords.

Remember that all the security in the world is considered worthless if the other person has physical access to your disk. Encryption can be broken in a number of different ways; it often simply isn't implemented correctly. However you have to recall that your encryption is really quite worthless when I can install a cheap camera above your desk or a keylogger on your keyboard and simply capture your password.

The reason we have a government is so that we can have strict controls on a small group of people who do what would otherwise be illegal. Somewhere along the line, we forgot about the strict controls, but that doesn't mean what they do should be suddenly legal.

While we've been concerned with Cyber Espionage it's still nice to see that old fashioned bribery and cunning are still in use and that countries and competitors will still go to whatever lengths are necessary to steal technology. We've allowed billions in technological innovations to be stolen and given away and it will come back to haunt us.

This. It's not virtual attacks that have "turned into physical". Physical attacks have never stopped. Heck, 15 years ago my grandmother got burgled, but the only thing they took was the PC. Industrial espionage isn't a new phenomenon.

Just insure your code. Most of what's being written in the Valley is better off being metaphorically "burned down" for the insurance money anyway. Followed by... they stole the code for FaceBook or Twitter? Most of the value is in the branding and the infrastructure that allows them to scale. The code that's running in a particular VM, by itself, is probably not worth much.

This shouldn't really surprise someone. When you think about it, a data center or server rack is arguably about the most valuable square footage that you can have. Think of a comparison to a typical jewelry shop: it might have $250,000 to $1,000,000 in a vault and it's not easy to liquidate for anything resembling its retail value. Now think of a typical bank vault, it probably has a typical amount of money, and again liquidation is an issue (look up money laundering for the challenges drug dealers face plus serial numbers).

Now think of a single rack in a data-center where a low end server can easily cost $5000 and nobody blinks an eye at something costing $25,000. A single rack can easily be worth a million dollars or more depending on how it is loaded. You can also easily resell IT equipment or part it out and there is a much smaller chance of getting caught. Serial numbers are an issue of course, but if something gets sent overseas the cost of getting caught drops significantly while the value is pretty much retained.

If you were to look at the sheer value of the contents of a building the only buildings that could possibly compete with a data center would be the exceptional bank vault and factories such as where they build new jetliners.

What I've found is that sometimes the best protection for data center racks is something fairly simple.

Something as simple as pin-Torx or pin-Robertson (square head) screws can keep equipment from vanishing, assuming the bits are stored somewhere fairly secure. It isn't near 100%, but it will slow someone down who managed to get in, and who is looking to unbolt something out of a rack and then make a break for it out the fire door.

You can also easily resell IT equipment or part it out and there is a much smaller chance of getting caught. Serial numbers are an issue of course, but if something gets sent overseas the cost of getting caught drops significantly while the value is pretty much retained.

Why bother with expensive, well paid hackers or going through the complexity of setting up a bot-net to break into a competitor when you can sneak in the back door in the middle of the night, root through drawers until you find a sticky note with a password and get things the old fashioned way.

Hell, I get all of the secret information that I can ever use or sell just by filing freedom of information act requests with our friendly neighborhood NSA. It's a little redacted, but you still get plenty of information that the owners would like to keep private.

Aren't these companies encrypting their extremely valuable data? All of my computers use full-disk encryption and I don't have anything more valuable than old tax returns and my carefully curated p0rn collection. I've got a lot of my company's source code, but most of it will end up open sourced anyway, so it's not that valuable to a thief.

C'mon, guys, if you'd have done your attack trees [schneier.com], you'd know that the guy who empties the waste basket can install a keylogger for a day for much less cost than it would take to break your 4096 bit PGP key.

I suppose this story does highlight some changing costs on the nodes, though - if physical penetration is becoming more prevalent, then either the cost of hiring somebody to do it is falling (due to massive unemployment, perhaps?) or the costs of other attacks are rising.
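The post above (and the earlier point that informed people decide on guards "based on risk assessment and vulnerability analysis") can be made concrete with a small attack-tree calculation in the style Schneier describes: OR nodes take the cheapest child, AND nodes sum their children, and a defender sees which leaf is worth hardening. This is an added example, not code from the thread or from schneier.com; the tree and every cost in it are constructed illustrative numbers, not measured figures.

```python
"""Attack-tree cost analysis: OR nodes take the cheapest child, AND nodes sum
their children. Added example; all costs below are constructed, not measured."""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    cost: Optional[float] = None          # leaf cost; None for internal nodes
    op: str = "OR"                        # "OR" or "AND" (ignored on leaves)
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf names) of the cheapest way to achieve `node`."""
    if not node.children:                 # leaf: its own cost
        return node.cost, [node.name]
    results = [cheapest(c) for c in node.children]
    if node.op == "AND":                  # every child must be achieved
        return (sum(c for c, _ in results),
                [leaf for _, leaves in results for leaf in leaves])
    return min(results, key=lambda r: r[0])   # OR: attacker picks the cheapest


def with_cost(node: Node, leaf_name: str, new_cost: float) -> Node:
    """Copy of the tree with one leaf's cost changed (models adding a control)."""
    if not node.children:
        return replace(node, cost=new_cost) if node.name == leaf_name else node
    return replace(node, children=[with_cost(c, leaf_name, new_cost)
                                   for c in node.children])


# Constructed tree for the goal "read the start-up's source code".
TREE = Node("Read source code", op="OR", children=[
    Node("Brute-force the 4096-bit PGP key", cost=1e12),   # effectively infeasible
    Node("Bribe a developer", cost=50_000),
    Node("Keylog the passphrase", op="AND", children=[
        Node("Get after-hours physical access (cleaning crew)", cost=500),
        Node("Plant USB keylogger", cost=100),
        Node("Retrieve keylogger and captured data", cost=500),
    ]),
])


def cheapest_attack() -> Tuple[float, List[str]]:
    """Cheapest path through the baseline tree."""
    return cheapest(TREE)


def cheapest_after_control() -> Tuple[float, List[str]]:
    """Cheapest path once unsupervised after-hours access is made expensive
    (e.g. escorted cleaning crews, locked offices). Constructed figure."""
    hardened = with_cost(TREE, "Get after-hours physical access (cleaning crew)", 80_000)
    return cheapest(hardened)


if __name__ == "__main__":
    print("baseline:", cheapest_attack())
    print("with control:", cheapest_after_control())
```

Run as written, the baseline cheapest path is the keylogger branch at 1100; after the physical-access leaf is raised to 80,000 the cheapest path becomes bribery at 50,000, which is exactly the kind of "changing costs on the nodes" the post is talking about: the control that matters is the one that moves the cheapest leaf, not the one that makes an already-infeasible leaf more infeasible.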

The cost of doing it is dropping because the tools are getting cheaper, easier to use, and easier to deploy. A local software company got hacked by someone just plugging a wireless router into an unoccupied network port in a conference room and taping it under the table (they think it was a job applicant being interviewed), and then just browsing their network from the parking lot that night. I've heard (second hand) of an office where the janitorial staff plugged a netbook into a port under a desk, let it sniff all network traffic for a couple of days, and then handed it off to whoever hired them. I've seen USB keyloggers advertised for under $100, and some of the newer remote control/viewing software can be autoinstalled and is unnoticeable to the casual user. It just isn't rocket surgery any more.
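The rogue router on an unused conference-room port described above is the classic case for watching the access switch's MAC table. As an added example (not from the thread), here is a Python check a network admin could run over that table: it flags activity on ports that should be unused, MACs not in the inventory for their port, more than one MAC behind an access port (a hub or access point), and a watch-listed OUI. The table format, the port inventory, the MAC addresses and the OUI list are all constructed for the example.

```python
"""Flag unexpected devices from an access switch's MAC table.
Added example; the table format, inventory, MACs and OUI list are constructed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in a 'show mac address-table'-like layout (format assumed).
SAMPLE_MAC_TABLE = """\
Vlan  Mac Address      Type     Ports
----  ---------------  -------  -----
10    0050.56aa.0001   DYNAMIC  Gi1/0/1
10    0050.56aa.0002   DYNAMIC  Gi1/0/2
10    0050.56aa.0009   DYNAMIC  Gi1/0/2
10    f4f2.6d11.2233   DYNAMIC  Gi1/0/24
20    0050.56aa.0003   DYNAMIC  Gi1/0/5
"""

# Constructed inventory: which MACs are expected on which port.
AUTHORIZED: Dict[str, Set[str]] = {
    "Gi1/0/1": {"0050.56aa.0001"},
    "Gi1/0/2": {"0050.56aa.0002"},
    "Gi1/0/5": {"0050.56aa.0003"},
}
# Ports that should be shut down: conference-room drops, spare patches.
EXPECTED_UNUSED: Set[str] = {"Gi1/0/23", "Gi1/0/24"}
# Constructed OUI watch list (first three octets); a real one would come from
# the IEEE registry plus the org's own policy on consumer gear.
CONSUMER_OUIS: Set[str] = {"f4f2.6d"}

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\w+\s+(\S+)", re.I)


def parse_mac_table(text: str) -> List[Tuple[str, str, str]]:
    """Return (vlan, mac, port) tuples; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3)))
    return rows


def oui(mac: str) -> str:
    """First three octets in the same dotted form as the table ('f4f2.6d')."""
    return mac[:7]


def find_anomalies(text: str) -> List[str]:
    """Human-readable findings for anything that does not match the inventory."""
    findings: List[str] = []
    macs_per_port: Dict[str, List[str]] = {}
    for vlan, mac, port in parse_mac_table(text):
        macs_per_port.setdefault(port, []).append(mac)
        if port in EXPECTED_UNUSED:
            findings.append(f"{port}: traffic on a port expected to be unused "
                            f"({mac}, vlan {vlan})")
        elif mac not in AUTHORIZED.get(port, set()):
            findings.append(f"{port}: unknown MAC {mac} (vlan {vlan})")
        if oui(mac) in CONSUMER_OUIS:
            findings.append(f"{port}: {mac} matches a watched consumer-router OUI")
    # More than one MAC behind an access port usually means a hub, switch or AP.
    for port, macs in macs_per_port.items():
        if len(macs) > 1:
            findings.append(f"{port}: {len(macs)} MACs on one access port, "
                            f"possible hub/AP")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_MAC_TABLE):
        print(finding)
```

On the constructed table this reports four findings: an unknown MAC and a second device on Gi1/0/2, and traffic plus a watched OUI on Gi1/0/24. The same logic is what switch port-security features (one MAC per port, shut down unused ports) enforce automatically; the script is useful where that has not been configured or as a cross-check against the inventory.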

I remember reading "War By Other Means" (http://www.amazon.com/War-Other-Means-Economic-Espionage/dp/0393318214/ref=sr_1_3?ie=UTF8&qid=1381510831&sr=8-3&keywords=war+by+other+means) more than 10 years ago.

The book starts off with how the USA, during its early years, sent "spies" to European nations to gather their technology regarding weaving and agriculture, as well as the start of the industrial revolution, and how that enabled the USA to become a superpower, and now it's being turned around on us that other countries such as China are doing the same thing, except that they are doing it on a much larger scale.

That this is happening on a small scale in the valley is no surprise, since the lead-time on new tech is now incredibly small. Look how Samsung introduced a "smartwatch" based on a RUMOR that Apple was doing that.

And the fact that the US was basically the manufacturing powerhouse of the early 20th century. The US didn't win the war because it had better technology, or a larger war machine at the beginning of the war. It won because it produced 10-100x as many tanks/planes/jeeps/ships/oil/etc as the Germans and Japanese.

Sounds like the kinda stuff Kevin Mitnick was doing to The Phone Company decades ago. He once broke into a local Ma Bell office to steal manuals, as reported in his book "Ghost in the Wires: My Adventures as the World's Most Wanted Hacker".

The book is a pretty good read. In it, Mitnick repeatedly claims he never profited from any of his adventures - except by selling books and becoming a security consultant, of course. Heck, some of the reported robbers in Silicon Valley might be even more ethical.

So, apparently shadowruns are a real thing now? I already knew William Gibson was just writing plain old fiction, but it still causes cognitive dissonance to realize I'm actually living in the dystopian future I read about back in the '80s.

Just happened to be staying in the same hotel and I don't recall what started us off but somehow we struck up a conversation and he wound up telling me some great stories.

The story about the guy in the FedEx box is even better than the article makes out. Since they couldn't actually ship a person via FedEx for many reasons, the box had to seem to come from the right location which would have meant putting it on a plane, and what not. So to make it all look right Steve got himself a real FedEx uniform and p

Silicon Valley startups' ideas are mostly worthless by themselves. It's the real estate, hipster glasses, and quirky offices that have value. Being inside the Silicon Valley circle jerk, where VCs freely blow loads of money on startups is what has value.